Snort mailing list archives
What do "detect", "rule eval" stand for in the profiling result of Snort preprocessor?
From: Ricky Li <ricky.li.net () gmail com>
Date: Wed, 10 Jun 2015 10:23:57 +0800
Hi,

I try to test the performance of Snort with different rule sets. So I picked two rule sets:

1) Snort VRT set (https://www.snort.org/downloads/#rule-downloads)
2) ET (Emerging Threats) Open rule set (http://www.emergingthreats.net/open-source/etopen-ruleset)

I use the same input traffic and the same configuration for the two cases; the only difference is the "# site specific rules" section (rule files contained in the "rules" folder). For case 1) I used the Snort VRT rules and for case 2) I used the ET Open rules. But the test results are quite different: the packets processed per second (PPS) of the ET rule set is only 10% of the Snort VRT rule set.

The preprocessor profiling results for case 2), the ET Open rule set, look like:

Preprocessor Profile Statistics (worst 20)
==========================================================
 Num  Preprocessor    Layer   Checks    Exits   Microsecs  Avg/Check  Pct of Caller  Pct of Total
 ===  ============    =====   ======    =====   =========  =========  =============  ============
   1  detect              0   504840   504840    64274120     127.32          94.48         94.48
   1  rule eval           1  2737825  2737825    59599382      21.77          92.73         87.61
   1  rule tree eval      2  3252182  3252182    59297083      18.23          99.49         87.16
   1  session             3   504810   504810      432874       0.86           0.73          0.64
   2  content             3   439184   439184      175567       0.40           0.30          0.26

The top 3, detect, rule eval, and rule tree eval, are very slow, and their percentages of total are all close to 100%! So I have some questions:

1) What do the items "detect", "rule eval", "rule tree eval" exactly stand for? Is there any document introducing them?
2) Based on the profiling result above, why do those three items take so much resource? How to tune/optimize it?
3) For the performance gap between the Snort VRT rule set and the third-party ET Open rule set, is it because Snort has some internal optimization for the Snort VRT rule set (like some rule parsing engines) inside the Snort program? So it has better performance for the Snort VRT rule set, compared with other third-party rules.

Thank you very much for your kind help and answers!
Regards, Ricky
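The profiling table in the post reads as a tree: the Layer column gives nesting depth, Pct of Caller is a row's share of its parent row's microseconds, and Pct of Total is its share of all packet-processing time. The following Python script is an added example (not from this thread or from the Snort project) that parses the rows quoted above and recomputes Avg/Check and both percentages to confirm that reading; recovering the grand total from the layer-0 row's Pct of Total is an assumption about how Snort prints the table.

```python
"""Parse Snort's 'Preprocessor Profile Statistics' table and check how its columns relate."""
import re

# Rows copied from the profiling output in the post above (header and separator lines dropped).
PROFILE_TEXT = """
1 detect 0 504840 504840 64274120 127.32 94.48 94.48
1 rule eval 1 2737825 2737825 59599382 21.77 92.73 87.61
1 rule tree eval 2 3252182 3252182 59297083 18.23 99.49 87.16
1 session 3 504810 504810 432874 0.86 0.73 0.64
2 content 3 439184 439184 175567 0.40 0.30 0.26
"""

# Columns: Num, Preprocessor (name may contain spaces), Layer, Checks, Exits, Microsecs,
# Avg/Check, Pct of Caller, Pct of Total.
ROW = re.compile(r"^(\d+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)$")


def parse_profile(text):
    """Return one dict per row; 'parent' is derived from the Layer column (nesting depth)."""
    rows, stack = [], []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                      # skip header, separator and blank lines
        _num, name, layer, checks, exits, usecs, avg, pct_caller, pct_total = m.groups()
        row = {"name": name, "layer": int(layer), "checks": int(checks), "exits": int(exits),
               "usecs": int(usecs), "avg": float(avg), "pct_caller": float(pct_caller),
               "pct_total": float(pct_total)}
        del stack[row["layer"]:]          # a layer-N row nests under the most recent layer-(N-1) row
        row["parent"] = stack[-1] if stack else None
        stack.append(row)
        rows.append(row)
    return rows


def check_profile(rows):
    """Recompute Avg/Check and both percentages; return rows whose printed values disagree."""
    root = rows[0]
    # Assumption: the layer-0 row's Pct of Total is its share of all packet-processing time,
    # so inverting it recovers that total (printed percentages are rounded to two decimals).
    total_usecs = root["usecs"] * 100.0 / root["pct_total"]
    problems = []
    for r in rows:
        caller_usecs = r["parent"]["usecs"] if r["parent"] else total_usecs
        expect = {"avg": r["usecs"] / r["checks"],
                  "pct_caller": 100.0 * r["usecs"] / caller_usecs,
                  "pct_total": 100.0 * r["usecs"] / total_usecs}
        problems += [(r["name"], col, round(v, 2), r[col]) for col, v in expect.items()
                     if abs(v - r[col]) > 0.01]
    return problems


def path(row):
    """Nesting path such as 'detect > rule eval > rule tree eval > content'."""
    return path(row["parent"]) + " > " + row["name"] if row["parent"] else row["name"]
```

An empty result from check_profile means every printed percentage matches the tree reading, so "rule eval" and "rule tree eval" are time spent inside "detect", not additional time on top of it.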